CY0-001 Exam Dumps - CompTIA SecAI+ v1 Exam

Basic Concept: Protecting a released AI model from unauthorized modification requires controlling who can interact with it and at what privilege level. IAM-integrated API access provides granular, auditable control over model interactions. CompTIA SecAI+ Study Guide covers model protection through identity and access management integration.

Why D is Correct: Integrating an API with IAM roles ensures that all interactions with the model are authenticated and authorized according to precisely defined permissions. IAM roles enforce the principle of least privilege, ensuring users can query the model only within authorized scope and cannot modify model parameters, weights, or configuration. API-level access provides an abstraction layer that protects the underlying model from direct access while enabling controlled, auditable interactions.

Why A is Wrong: Changing to an LLM with guardrails addresses model behavior safety but does not protect the model artifacts themselves from tampering or unauthorized modification. It changes the model type rather than implementing access controls.

Why B is Wrong: Providing secure copies for local runtime distributes model copies to multiple endpoints, significantly increasing the attack surface for tampering. Each local copy represents a potential point of unauthorized modification.

Why C is Wrong: Restricting access to IT professionals is overly broad and vague. IT professionals may still need varying levels of access for different purposes, and generic role-based access without IAM integration and API mediation provides insufficient granularity to prevent unintentional modification.

Basic Concept: LLM API pricing is primarily based on token consumption — the number of tokens processed in both input prompts and output responses. Controlling token usage is the most direct lever for managing and reducing LLM API costs. CompTIA SecAI+ Study Guide covers AI cost management and resource controls under securing AI systems.

Why D is Correct: Adjusting token limits directly caps the maximum number of tokens used per request for both input and output. By setting appropriate token limits, the organization prevents excessively long prompts or verbose responses from consuming unnecessary tokens, directly translating to lower API costs and providing hard budget control.

Why A is Wrong: Prompt templates standardize how queries are structured, which can indirectly improve efficiency. However, they do not enforce a hard cap on token usage and cannot prevent costs from escalating with large volumes or verbose responses.

Why B is Wrong: Increasing CPU and memory addresses computational infrastructure performance on the client side. LLM API costs are billed by the API provider based on token usage, not on the client ' s hardware resources.

Why C is Wrong: Reducing model size means using a smaller, less powerful model version. While this may lower cost per token, it is a model selection decision, not an ongoing operational control that can be adjusted to manage cost in real time.

Basic Concept: Data integrity ensures that data has not been tampered with, corrupted, or modified during storage or transmission. For AI training data that is procured from external sources, cryptographic integrity verification is essential to confirm the data arrived unmodified. CompTIA SecAI+ Study Guide covers data integrity controls for AI data pipelines.

Why A is Correct: Implementing checksums provides cryptographic verification of data integrity. A checksum or hash value such as SHA-256 is computed from the dataset at the source. The receiver computes the same hash and compares it to the provided value. Any modification to the data during transit or storage will produce a different hash, immediately detecting tampering or corruption. This is the most reliable, automated, and scalable strategy for ensuring the integrity of procured training data.

Why B is Wrong: Human evaluation can verify data quality and relevance but is impractical for verifying integrity across large datasets of medical records. Human reviewers cannot detect subtle bit-level corruption or intentional small modifications, and the process is not scalable.

Why C is Wrong: Querying the model tests model performance rather than verifying the integrity of the underlying training data. The model cannot tell you whether its training data was modified after collection or during procurement.

Why D is Wrong: Log monitoring tracks system activities and events over time. While useful for auditing access to data, it cannot retroactively confirm that data content has not been modified and does not provide cryptographic integrity guarantees.

Basic Concept: In AI governance, each role holds distinct responsibilities. Understanding these roles is core to CompTIA SecAI+ Domain 4 (AI Governance, Risk, and Compliance).

Why D is Correct: The Data Scientist is responsible for translating business use cases into working AI/ML models. They analyze business requirements, identify the appropriate machine learning approach, and develop models that fulfill specific business objectives. According to the CompTIA SecAI+ Study Guide, data scientists bridge raw data and actionable AI solutions by building and validating models derived from business-driven needs.

Why A is Wrong: A Platform Architect designs and manages the infrastructure and technical platforms hosting AI systems. Their focus is architectural design of the environment, not model development from business use cases.

Why B is Wrong: An AI Risk Analyst identifies, evaluates, and mitigates risks associated with AI adoption. Their role is governance and risk-oriented, not model creation.

Why C is Wrong: An MLOps Engineer operationalizes, deploys, monitors, and maintains AI models in production. They take models already built by data scientists and ensure reliable operation at scale, not develop them from business use cases.

Basic Concept: A replay attack occurs when an attacker captures a valid authentication token or credential and reuses it to impersonate a legitimate user. Preventing replay attacks requires ensuring that captured credentials cannot be successfully reused after a defined period or after their intended single use. CompTIA SecAI+ Study Guide covers replay attack prevention under AI system authentication.

Why C is Correct: Expiring session tokens have a limited validity window, typically a few minutes to hours. If an attacker captures a token, they can only use it until it expires. Short expiration times dramatically reduce the window of opportunity for replay attacks. This is the most direct and effective control specifically targeting replay attack prevention, as expired tokens are rejected even if intercepted.

Why A is Wrong: IdP federation enables single sign-on across multiple systems using federated identity providers. While it standardizes authentication, it does not inherently prevent replay attacks on captured tokens unless combined with short token expiration and proper validation.

Why B is Wrong: SSH certificate authentication uses cryptographic certificates for strong authentication. While more secure than password-based SSH, certificates alone do not prevent replay attacks unless they include timestamps, nonces, or other anti-replay mechanisms that invalidate captured credentials.

Why D is Wrong: IAM access keys are long-lived credentials that provide programmatic access to services. They are typically static and do not expire automatically, making them vulnerable to replay attacks if intercepted. They are less suitable for replay attack prevention than expiring session tokens.

Basic Concept: Prompt engineers are responsible for designing and refining the prompts and instructions that guide an LLM ' s behavior. When user experience is declining after an LLM launch, this signals that the model ' s outputs are not meeting quality standards. CompTIA SecAI+ addresses prompt engineering quality management under securing and optimizing AI systems.

Why C is Correct: Quality control should be the highest priority when user experience is declining. Prompt engineers must systematically evaluate model responses against quality benchmarks, identify failure patterns causing poor user experience, and iteratively refine prompts to produce accurate, relevant, and appropriately formatted responses. Quality control encompasses testing, evaluation, and continuous improvement of prompt performance.

Why A is Wrong: Customer success management is a business function focused on customer relationship management and retention. While related to user experience outcomes, it is not a technical priority that prompt engineers can directly address through their core competency of prompt design and refinement.

Why B is Wrong: Sales life cycle management is a business process for managing customer acquisition and revenue. It is entirely outside the scope of prompt engineering activities and does not address declining LLM user experience.

Why D is Wrong: Business objectives define what the organization aims to achieve with the LLM deployment. These are set at the strategic level and inform the direction for prompt engineering. They are inputs to the quality control process rather than the priority action prompt engineers should take when experience is declining.

Basic Concept: End users are the employees who interact with AI systems daily and may inadvertently create compliance risks through their AI usage behaviors. Equipping users with clear guidance on acceptable and compliant AI use is the most effective way to reduce compliance violations at the user level. CompTIA SecAI+ Study Guide emphasizes policies and procedures as the foundational compliance tool for end users.

Why B is Correct: Policies and procedures directly inform end users of what AI-related behaviors are compliant, what is prohibited, and how to use AI tools safely and legally. Comprehensive AI usage policies covering acceptable use, data handling requirements, prohibited data inputs, and reporting obligations give users the knowledge they need to avoid compliance violations. Without clear policies, users cannot reliably identify compliant from non-compliant behavior.

Why A is Wrong: An AI center of excellence governs AI adoption at the organizational level, developing standards and approving use cases. While it benefits the organization overall, its governance activities are directed at organizational processes and technical standards rather than providing direct day-to-day compliance guidance to individual end users.

Why C is Wrong: Data loss prevention (DLP) technology automatically prevents the transmission of sensitive data through monitoring and blocking capabilities. While effective at preventing certain compliance violations technically, it cannot guide users on why certain behaviors are non-compliant or how to make compliant choices in situations DLP doesn ' t cover.

Why D is Wrong: MFA secures user authentication and prevents unauthorized account access. It is an identity security control that protects accounts, not a mechanism that helps users understand or comply with AI governance requirements.

Basic Concept: Infrastructure hardening for AI systems involves applying security baseline settings and eliminating unnecessary attack surfaces. CompTIA SecAI+ Exam Objectives identify configuration standards as the specific governance instrument that mandates infrastructure hardening requirements for AI deployments.

Why D is Correct: Configuration standards are formal, technical documents specifying exact security settings, baseline configurations, and hardening requirements that developers and administrators must implement to protect systems including AI infrastructure. They establish enforceable rules such as disabling unnecessary services, applying least-privilege access, and enforcing secure communication protocols specifically for AI systems.

Why A is Wrong: Intake processes govern how new projects, systems, or requests are evaluated and onboarded into an organization. They are procedural checkpoints for initial assessment, not technical hardening directives for developers.

Why B is Wrong: Acceptable use policies define appropriate ways employees and users may use organizational systems and AI tools. They are behavioral guidelines aimed at end users, not technical requirements instructing developers to secure infrastructure.

Why C is Wrong: Development guidelines provide best practices and recommendations for software development and may include security considerations. However, they are advisory in nature and broader in scope than the specific mandatory infrastructure-hardening requirements found in configuration standards.